eap md5 and cisco 1250 ap?
Hi All, I'm trying to get am MacOS 10.5 client to connect to a cisco 1250 ap running IOS 12.4(10b) authenticating against Freeradius 1.1.7 on Ubuntu (8.04). Yeh md5 is a bad idea, but it should be a simple first step. The only changes I made to the default Freeradius config were to add the client info for the 1250 and one user: jon Cleartext-Password := "password" Freeradius sends: Sending Access-Accept of id 56 to 192.168.32.10 port 1645 EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "jon" Finished request 95 Which the AP sees: *Mar 1 17:13:08.871: RADIUS: Received from id 1645/54 192.168.32.34:1812, Access-Accept, len 49 *Mar 1 17:13:08.871: RADIUS: authenticator 80 F5 FE FA 84 E9 7A EB - C9 D0 0C F2 E5 07 9C 02 *Mar 1 17:13:08.871: RADIUS: EAP-Message [79] 6 *Mar 1 17:13:08.871: RADIUS: 03 02 00 04 [????] *Mar 1 17:13:08.871: RADIUS: Message-Authenticato[80] 18 *Mar 1 17:13:08.871: RADIUS: 61 20 78 47 53 68 E0 80 20 7F 10 04 95 CE 64 9D [a xGSh?? ?????d?] *Mar 1 17:13:08.871: RADIUS: User-Name [1] 5 "jon" *Mar 1 17:13:08.871: RADIUS(000000B0): Received from id 1645/54 *Mar 1 17:13:08.871: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes *Mar 1 17:13:09.919: %DOT11-7-AUTH_FAILED: Station 001e.c2b7.f0de Authentication failed But note the AUTH_FAILED at the. The Mac client then just spins retrying athentication. I must be missing something so stupidly obvious noone else has ever missed it, as I can't seem to find anyone onlline who's had trouble with simple md5 auth... Help? Thanks, -Jon
Jonathan D. Proulx wrote:
I'm trying to get am MacOS 10.5 client to connect to a cisco 1250 ap running IOS 12.4(10b) authenticating against Freeradius 1.1.7 on Ubuntu (8.04).
You cannot use EAP-MD5 for wireless authentication. It's impossible.
Yeh md5 is a bad idea, but it should be a simple first step. The only changes I made to the default Freeradius config were to add the client info for the 1250 and one user:
Or, you could follow the EAP guide for 2.1.x at my web site: http://deployingradius.com It's *very* easy to set up in 2.x. There's even a Mac package in Darwin ports. See the "download" link on the main web page. Alan DeKok.
On Fri, Oct 10, 2008 at 07:23:17PM +0200, Alan DeKok wrote: : You cannot use EAP-MD5 for wireless authentication. It's impossible. Well, that makes it sery simple! : Or, you could follow the EAP guide for 2.1.x at my web site: : :http://deployingradius.com : : It's *very* easy to set up in 2.x. There's even a Mac package in :Darwin ports. See the "download" link on the main web page. I've been sort of following that (Thanks), didn't realize I was a major rev behind, though that explains why certs wasn't a simple "make" in the version I have. so upward (to 2.x) and onward and straight to ttls. Thanks, -jon
On Fri, Oct 10, 2008 at 01:41:15PM -0400, Jonathan D. Proulx wrote: :so upward (to 2.x) and onward and straight to ttls. I seem to have actually gone backward here. Local radtest is now failing with the fresh 2.1.1 install. all default except added a user to users: jon Cleartext-Password := "password" radiusd -s -X seems to start happily but doesn't seem to source the users file, as best I can tell (not listed amoung the many "including configuration file" lines): rad_recv: Access-Request packet from host 127.0.0.1 port 54793, id=121, length=55 User-Name = "jon" User-Password = "password" NAS-IP-Address = 192.168.32.34 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jon", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry jon at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jon attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated ???? -Jon
Jonathan D. Proulx wrote:
:so upward (to 2.x) and onward and straight to ttls.
Are you using the 2.x configuration files, or did the install process leave the 1.x versions in place?
I seem to have actually gone backward here. Local radtest is now failing with the fresh 2.1.1 install. all default except added a user to users:
jon Cleartext-Password := "password"
Which should work with the 2.x configuration files.
radiusd -s -X seems to start happily but doesn't seem to source the users file, as best I can tell (not listed amoung the many "including configuration file" lines):
The "files" module will read the "users" file.
[pap] login attempt with password "password" [pap] Using CRYPT encryption.
This isn't in the default configuration files for 2.x. Alan DeKok.
On Sat, Oct 11, 2008 at 07:59:11AM +0200, Alan DeKok wrote: :Jonathan D. Proulx wrote: :> :so upward (to 2.x) and onward and straight to ttls. : : Are you using the 2.x configuration files, or did the install process :leave the 1.x versions in place? The 1.x configs were in /etc/freeradius, the 2.x in /usr/local/etc/raddb. Purging the 1.x config doesn't change the behavior. :> [pap] login attempt with password "password" :> [pap] Using CRYPT encryption. : : This isn't in the default configuration files for 2.x. Hmmm. root@hermia:~# radiusd -v radiusd: FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 10 2008 at 18:11:11 and all the inluded files show on startup are from /usr/local/etc/raddb/ this is the PAP bit from startup: radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } and on closer inspection the files module does seem to be doing the right thing: Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } # grep jon /usr/local/etc/raddb/users jon Cleartext-Password := "password" This was my build: ./configure --enable-strict-dependencies --without-rlm_eap_tnc --without-rlm_sql_oracle --without-rlm_sql_unixodbc make make install Well, I can't think what and you say it should work. It's a new morning and I'm freshly caffinated so I guess I'll rip it all down and try try again. -Jon
hi, if you just install eg 2.1.1 straight over 2.0.5 then it will not have changed or tocuhed any of your existing/modified files in your raddb directory. if you want to 'make sure' then 'mv raddb raddb.old', 'make install' then, edit the raddb/* files again to what you need and re-run. alan
On Sat, Oct 11, 2008 at 03:10:31PM +0100, A.L.M.Buxey@lboro.ac.uk wrote: :hi, : :if you just install eg 2.1.1 straight over 2.0.5 :then it will not have changed or tocuhed any of :your existing/modified files in your raddb directory. this is a fresh install, the previous version was 1.1.7 and located in a completely different place. I've since delected that old install to be doubly sure and removed tne last install of 2.1.1 (rm -rf raddb, and the binary files, libraries and even logs and documentation). After removing my build directory and unpacking a fresh tar ball: ./configure --enable-strict-dependencies --without-rlm_eap_tnc --without-rlm_sql_oracle --without-rlm_sql_unixodbc make make install <add user> # grep jon /usr/local/etc/raddb/usersjon Cleartext-Password := "password" I'm still seeing the odd PAP config, which is perhaps killing the athentication (noops removed for brevity): rad_recv: Access-Request packet from host 127.0.0.1 port 35273, id=127, length=55 User-Name = "jon" User-Password = "password" NAS-IP-Address = 192.168.32.34 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "jon", looking up realm NULL [suffix] No such realm "NULL" ++[unix] returns updated [files] users: Matched entry jon at line 1 ++[files] returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} Many thanks -Jon
On Sat, Oct 11, 2008 at 05:24:12PM +0100, A.L.M.Buxey@lboro.ac.uk wrote: :hmmm. try editing modules/pap : :and change auto_header to be 'yes' I think I'm going to bail out on 2.1.1 for now, I reinstalled 1.1.7 generated the requisite keys and it works. I'll revisit 2.x after my current implementation panic is over. Thanks All, -Jon NB. ubuntu's pacakges are not compiled with openssl so tls and friends are missing, https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/255776 details how to edit the packeged sources to include openssl support
Jonathan D. Proulx wrote:
I'm still seeing the odd PAP config, which is perhaps killing the athentication (noops removed for brevity):
rad_recv: Access-Request packet from host 127.0.0.1 port 35273, id=127, length=55 User-Name = "jon" ... ++[unix] returns updated
"jon" is in /etc/passwd.
[files] users: Matched entry jon at line 1
And in the "users" file.
[pap] login attempt with password "password" [pap] Using CRYPT encryption.
Because the /etc/passwd entry was found first. It ignores the clear-text password.
[pap] Passwords don't match
Because the password doesn't match what's in /etc/passwd. Alan DeKok.
On Sat, Oct 11, 2008 at 08:43:52PM +0200, Alan DeKok wrote: :> rad_recv: Access-Request packet from host 127.0.0.1 port 35273, :> id=127, length=55 :> User-Name = "jon" :... :> ++[unix] returns updated : : "jon" is in /etc/passwd. Well spotted thank you! This will let me go back up to 2.x which sounds like it will make my life easier in the long run as I go onto more complex things like restricting users based on ssid and such... -Jon
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Jonathan D. Proulx